Targeted Threat Protection - URL Protect - Configuring URL Protect Definitions

This article contains information on configuring URL Protect in Mimecast, including inbound, outbound, and journal settings, URL rewrite modes, advanced similarity checks, and actions for handling unsafe URLs in messages and attachments.

Rewritten URLs have a different destination domain depending on the grid/region your account is hosted in.
If you have systems that need to recognize such URLs (e.g., log parsing, firewalls, proxies), see Data Centers & URLs and navigate to the Targeted Threat Protection (TTP) section for your region.

To configure a URL Protect definition:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to the Gateway | Policies | URL Protection menu item.
  3. Click on the Definitions button.
  4. Any existing definitions are listed.
  5. Click on either of the following:
    • The New Definition button, to create a new definition.
    • The definition to be changed.
  6. Enter a definition description in the Definition Narrative field. This is kept in the archive if the definition is applied.
  7. Complete the following sections (described below).
  8. Click on the Save and Exit button.

We do not rewrite the following domains:

  • login.mimecast.com
  • login-uk.mimecast.com
  • login-de.mimecast.com
  • login-au.mimecast.com
  • login-us.mimecast.com
  • login-usb.mimecast.com
  • login-za.mimecast.com
  • login-ca.mimecast.com

Inbound Settings

Field / Option Description
Enable Inbound Check If selected, the fields below are displayed. When setting up inbound checks, use a policy with the correct routing to activate this definition.
Rewrite Mode Select one of the following URL rewrite modes:
  • Aggressive: Rewrites strings rewritten by the Relaxed and Moderate settings plus anything that looks like a URL or contains similar formatting (e.g., IP addresses, http://, www., or .co.uk).
  • Moderate: Rewrites strings rewritten by the Relaxed setting plus strings that contain a valid URL or path (e.g., IP addresses, www.domain.com).
  • Relaxed: Rewrites only URLs that contain valid URLs and top-level domains (e.g., http://www.domain.co.uk).
URL Category Scanning Specify how aggressively the URL categorization engine operates on dangerous URL categories. Other detection capabilities are not altered when changing this setting. The categories blocked by each setting (Relaxed / Moderate / Aggressive) are:
  • Compromised (Relaxed: Y, Moderate: Y, Aggressive: Y): Sites known to contain malware, phishing, or spam products.
  • Phishing & Fraud (Relaxed: Y, Moderate: Y, Aggressive: Y): Fraudulent sites that purport to be reputable companies to induce individuals to reveal personal information (e.g., passwords or credit card numbers).
  • Spam Sites (Relaxed: N, Moderate: Y, Aggressive: Y): Sites that send irrelevant or unsolicited messages, typically to many users, for advertising, phishing, spreading malware, etc.
  • Suspicious (Relaxed: N, Moderate: Y, Aggressive: Y): Sites that are either known to be malicious or potentially malicious.
  • Malware (Relaxed: Y, Moderate: Y, Aggressive: Y): Sites containing software designed to disrupt, damage, or gain unauthorized access to a computer system.
  • Botnets (Relaxed: Y, Moderate: Y, Aggressive: Y): Sites that are part of a network of private computers infected with malicious software and controlled as a group without the owners' knowledge (e.g., to send spam).
  • Private IP Addresses (Relaxed: N, Moderate: N, Aggressive: Y): Private networks that use private IP address space (e.g., local area networks in residential, office, and enterprise environments).
  • Machine Learning (Relaxed: N, Moderate: N, Aggressive: Y): Our machine learning model enhances resilience against zero-day and emerging phishing attacks, and is designed to target zero-day and emerging threats with a low false-positive rate. The model can analyze URLs when clicked as well as via the Check URL function in the Administration Console. Detections made by the model are shown in the Targeted Threat Protection (TTP) URL Logs – Scan details section in the Administration Console. The Rewrite Mode does not need to be set to Aggressive.
QR Code Image Action Specify the action taken when a QR Code that contains a URL is scanned and classified as Malicious. This can be either of the following options:
  • Reject: The message containing the Malicious URL will be rejected.
  • Hold: The message containing the Malicious URL will be held.
Action Specify the action taken when an unsafe URL is detected in a message or attachment. All clicks are logged. The effect differs depending on whether the URL is detected in the message body or subject, or in an attachment:
  • Allow: Detected in the body or subject: users can access the link. Detected in an attachment: the message is delivered with the attachment.
  • Warn: Detected in the body or subject: a warning page is displayed, but users can continue to the original destination. Detected in an attachment: the attachment is stripped from the message before the message is delivered to the end user; a notification provides detection details but allows the end user to release the attachment. If the attachment is released and you have an attachment protection policy active using sandboxing, we'll release the attachment to the sandbox before releasing it to the end user.
  • Block: Detected in the body or subject: a block page is displayed, and users are prevented from accessing the URL. Detected in an attachment: the attachment is stripped from the message before the message is delivered to the end user; a notification provides details and informs the end user to contact their administrator if they need to release the attachment.
Disable Browser Isolation Allows you to turn off the browser isolation functionality, which provides a safe browser session, located in one of our data centers, for websites that are considered suspicious. See Browser Isolation Overview. This field is only displayed if the "Action" field is set to "Block."

Message Subject Protection Microsoft Outlook for Windows automatically converts URLs in the message's subject to hyperlinks. This option specifies how they are handled:
  • None: URLs in the message subject are ignored. URLs will not be scanned if clicked.
  • Remove URLs: URLs are removed from the message's subject.
  • Rewrite URLs: URLs in the message's subject are rewritten, so they are scanned.

Rewritten links can be up to 200 characters long. Choosing "Rewrite URLs" will visibly alter the format of the message subject.

Create Missing HTML Body Specifies whether inbound plain text emails are reformatted as HTML. Doing so allows URLs to be rewritten.
Force Secure Connection All links protected by Targeted Threat Protection - URL Protection are rewritten as HTTPS by default. If enabled, this option rewrites all links as HTTPS. If disabled, all links are rewritten as HTTP. A confirmation displays if this option is disabled.
Set to Default Specifies this as the default definition. Any previously rewritten links that do not have a valid policy will use this definition. This option can only be set on one definition.
Ignore Signed Messages If enabled, URL Protection is not applied to digitally signed messages. This ensures the message's signature remains intact but means the URLs are not rewritten.
Display URL Destination Domain If enabled, the URL's destination domain is displayed at the end of the rewritten link. For example:
protect-eu.mimecast.com/s/1dBvZWHZ?url.uk.m.mimecastprotect.com
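As an added example (not Mimecast's code and not from this article), the Python below parses rewritten links of the shape shown above so that the log-parsing, firewall or proxy systems mentioned at the top of the page can recognize them. It assumes, generalising from the single example here, that rewritten links look like protect-<region>.mimecast.com/s/<token> with the destination domain carried as the bare query string; the region label, the token alphabet and the sample log lines are assumptions or constructed data.

```python
import re
from urllib.parse import urlsplit

# Assumption (generalised from the page's one example): rewritten links look like
# protect-<region>.mimecast.com/s/<token>[?<destination-domain>]. The region label
# and the token alphabet are not documented here and are treated as assumptions.
REWRITTEN_HOST = re.compile(r"^protect-[a-z0-9-]+\.mimecast\.com$")
REWRITTEN_PATH = re.compile(r"^/s/([A-Za-z0-9_-]+)/?$")
DOMAIN_NAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
LINK_IN_TEXT = re.compile(r"""(?:https?://)?protect-[a-z0-9-]+\.mimecast\.com/s/[^\s"'<>]+""", re.I)


def parse_rewritten_link(url: str):
    """Return {'host', 'token', 'destination_domain'} for a rewritten link, else None."""
    if "://" not in url:
        url = "https://" + url            # protected links are rewritten as HTTPS by default
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not REWRITTEN_HOST.match(host):
        return None
    path = REWRITTEN_PATH.match(parts.path)
    if not path:
        return None
    # The destination domain is only present when "Display URL Destination Domain"
    # is enabled; it is appended as the bare query string after "?".
    dest = parts.query.strip().lower() or None
    if dest is not None and not DOMAIN_NAME.match(dest):
        dest = None                       # not a bare domain: ignore rather than trust it
    return {"host": host, "token": path.group(1), "destination_domain": dest}


def destination_domains(text: str):
    """Collect the destination domains of every rewritten link found in free text
    (e.g. a proxy or mail log), so they can be reviewed or allow-listed."""
    found = set()
    for candidate in LINK_IN_TEXT.findall(text):
        parsed = parse_rewritten_link(candidate)
        if parsed and parsed["destination_domain"]:
            found.add(parsed["destination_domain"])
    return sorted(found)


# Constructed sample log excerpt (not real traffic); the first link is the page's example,
# the second token is made up.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z GET https://protect-eu.mimecast.com/s/1dBvZWHZ?url.uk.m.mimecastprotect.com 200
2024-01-01T10:00:05Z GET https://protect-eu.mimecast.com/s/abc123XY 302
2024-01-01T10:00:09Z GET https://login-uk.mimecast.com/ 200
"""

if __name__ == "__main__":
    print(parse_rewritten_link("protect-eu.mimecast.com/s/1dBvZWHZ?url.uk.m.mimecastprotect.com"))
    print(destination_domains(SAMPLE_LOG))
```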
Strip External Source Mode If set to "Aggressive," all external components are removed from the message body. This includes CSS, SVG files, font types, and HTML tags (e.g., <embed>, <iframe>, <frame>, <object>, <form>). This may impact the formatting and readability of messages.

File Protocol URL Handling This can protect against hash-jacking attempts by checking for URLs that use the "file://" protocol. The options are:
  • Off: No protection against hash-jacking attempts is provided.
  • Hold: Messages with URLs containing a "file://" protocol are held in the Held Message queue. No notification is issued even if the "Enable Notifications" option is selected. This can be mitigated by ensuring your firewall is configured correctly (e.g., blocking SMB traffic).
  • Strip: Messages with URLs containing a "file://" protocol have the URL scheme replaced with "***."

The URL Category Scanning option must be set to 'Aggressive' for the File Protocol URL Handling setting to take effect. If the URL Category Scanning option is set to 'Moderate' or 'Relaxed,' the File Protocol URL Handling option is consequently set to 'Off' and will not be applied.
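The following Python is an added illustration (not Mimecast's implementation) of how the three handling modes and the precedence rule above interact: one message body is processed under each combination of settings, and the returned disposition shows whether the message would be delivered, held, or have its file:// scheme stripped. The sample message body, the function names and the exact rendering of the stripped scheme are assumptions.

```python
import re

# Matches a file:// URL up to whitespace or an HTML/quote delimiter.
FILE_URL = re.compile(r"file://[^\s<>\"']+", re.IGNORECASE)


def effective_file_protocol_handling(url_category_scanning: str, file_protocol_handling: str) -> str:
    """The setting only takes effect under Aggressive URL Category Scanning;
    under Moderate or Relaxed it is treated as Off, as the page describes."""
    if url_category_scanning.strip().lower() != "aggressive":
        return "off"
    mode = file_protocol_handling.strip().lower()
    if mode not in ("off", "hold", "strip"):
        raise ValueError(f"unknown File Protocol URL Handling mode: {file_protocol_handling!r}")
    return mode


def apply_file_protocol_handling(body: str, url_category_scanning: str, file_protocol_handling: str):
    """Return (disposition, body, file_urls).

    disposition: 'deliver' (no file:// URL found, or handling is Off),
                 'hold'    (message goes to the Held Message queue), or
                 'strip'   (scheme replaced with '***' in the returned body).
    No notification is modelled: the page states none is sent for this check.
    """
    mode = effective_file_protocol_handling(url_category_scanning, file_protocol_handling)
    file_urls = FILE_URL.findall(body)
    if mode == "off" or not file_urls:
        return "deliver", body, file_urls
    if mode == "hold":
        return "hold", body, file_urls
    # Strip: replace the "file://" scheme with "***" so the link no longer resolves.
    # Assumption: the page says the scheme is replaced with "***"; the exact rendering may differ.
    stripped = FILE_URL.sub(lambda m: "***" + m.group(0)[len("file://"):], body)
    return "strip", stripped, file_urls


# Constructed sample message body (not from the page).
SAMPLE_BODY = (
    "Hi, the Q3 figures are in the shared folder: file://fileserver.example/finance/q3.xlsx\n"
    "The web version is at https://intranet.example/finance/q3 if you prefer."
)

if __name__ == "__main__":
    for scanning, handling in (("Moderate", "Hold"), ("Aggressive", "Hold"), ("Aggressive", "Strip")):
        disposition, out, urls = apply_file_protocol_handling(SAMPLE_BODY, scanning, handling)
        print(f"{scanning}/{handling}: {disposition} {urls}")
```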

Block URLs Containing Dangerous File Extensions Specifies whether URLs containing file extensions that commonly carry malware are blocked.
This is a balance between files that pose a high security threat and files that are commonly used and would create too much additional burden on end users if considered unsafe.
See What is a Dangerous File Type?
Rewrite URLs Found in Attachments If this option is selected, you can choose one or more of the following attachment parts to rewrite:
  • HTML (.HTM)
  • Text (.TXT)
  • Calendar (.CAL)

Each of these looks for file attachments in the message of the same file type and rewrites any URLs found in them.

Rewriting URLs found in PDF files is not supported.

URL File Download If enabled, a check is made to ascertain whether the URL points to a download of one of the file types listed below. If a URL points to one of these file types and is found to be potentially dangerous, you can set this option to warn or block the file. You can sandbox the file if you have Targeted Threat Protection – Attachment Protect. The supported file types are:
  • HTML, TXT, PDF
  • Archived files in .ZIP, .BZIP, .GZIP, .JS, .RAR, .TAR, .LHA, .LZH and .XZ format
  • All Microsoft Office and Open Office file formats

Malicious detections are logged under the Monitoring | URL Protection menu item.

If User Awareness notifications are enabled, users can download the scanned file via the email notification for 12 hours, after which they are taken through the checking process again.

Scan URLs in Attachments Malicious detections are logged under the Monitoring | URL Protection menu item. The supported file types are:
  • HTML, TXT, PDF
  • Archived files in formats such as .ZIP, .BZIP, .GZIP, .JS, .RAR, .TAR, .LHA, .LZH and .XZ
  • All Microsoft Office and Open Office file formats

Considerations:

  • If selected and URL File Download is set to Warn, attachments with links to file downloads will be blocked. We recommend setting URL File Download to Sandbox.
  • If selected, attachments that are 50 MB or less and supported by the safe file option are checked to ensure they contain no malicious URLs.
  • Encrypted files larger than 40 MB are considered malicious. For all other files the limit is 50 MB, above which links are stripped.
  • This option also works with compressed files; the individual files are scanned as if they weren't part of a compressed file. If malicious links are found in an attachment, the action taken depends on the "Action" setting (above). Stripped files are logged under Monitoring | Attachments in the Administration Console.
Advanced Similarity Checks If selected, URLs are checked for advanced attacks where links appear similar to your internal and monitored external domains. Select at least one of the additional options below:
  • Check Internal Domains: Checks links against your internal domains.
  • Check Mimecast Monitored External Domains: Checks links against Mimecast monitored external domains.
  • Check Custom-Monitored External Domains: Checks links against your custom-monitored external domains. To update your custom domains, click the Custom Monitored External Domains button at the top of the URL Protection definition list. See the Targeted Threat Protection: Custom Monitored External Domains page for more information.
  • Action: Select the action to take when a similar link is detected:
    • Allow: Allows the user to access the link and logs their activity.
    • Warn: Shows a warning page to the user, allows them to choose whether to access the link, and logs their actions.
    • Block: Blocks the user from accessing the link and shows a block page.
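An added example (not Mimecast's detection logic) of the kind of look-alike check described above: a link's hostname is compared against a constructed set of internal and custom-monitored domains after undoing common character substitutions, and the definition's Action decides what is returned. The domain names, the similarity threshold and the confusables table are assumptions chosen for illustration.

```python
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample data (assumption): one internal domain and one custom-monitored
# external domain. In the product these come from the definition, not from code.
INTERNAL_DOMAINS = {"example.com"}
CUSTOM_MONITORED_DOMAINS = {"examplebank.com"}

# Characters commonly substituted into look-alike hostnames: digits and Cyrillic
# letters that render like Latin ones, plus letter pairs that mimic a single letter.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i",
    "rn": "m", "vv": "w",
}


def normalize_host(host: str) -> str:
    """Lower-case, undo confusable substitutions, then fold accents to plain ASCII."""
    host = host.lower().rstrip(".")
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()


def hostname_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def looks_like(host: str, domain: str, threshold: float = 0.8) -> bool:
    """True when host imitates domain without actually belonging to it."""
    if host == domain or host.endswith("." + domain):
        return False                      # the real domain or one of its subdomains
    norm = normalize_host(host)
    if norm == domain or norm.endswith("." + domain):
        return True                       # differs only by confusable characters
    if domain in norm:
        return True                       # monitored domain embedded, e.g. example.com.evil.net
    stem, norm_stem = domain.rsplit(".", 1)[0], norm.rsplit(".", 1)[0]
    if stem in norm_stem:
        return True                       # e.g. example-login.com
    return SequenceMatcher(None, stem, norm_stem).ratio() >= threshold


def similarity_verdict(url: str, action: str = "block",
                       check_internal: bool = True, check_custom: bool = True):
    """Return (decision, matched_domain). decision is the definition's Action
    ('allow', 'warn' or 'block') when a look-alike is found, else ('allow', None)."""
    monitored = set()
    if check_internal:
        monitored |= INTERNAL_DOMAINS
    if check_custom:
        monitored |= CUSTOM_MONITORED_DOMAINS
    host = hostname_of(url)
    for domain in sorted(monitored):
        if looks_like(host, domain):
            return action, domain         # allow still logs; warn shows a warning page first
    return "allow", None


if __name__ == "__main__":
    for link in ("https://mail.example.com/login", "http://examp1e.com/reset",
                 "https://example.com.account-verify.net/", "https://unrelated.org/"):
        print(link, "->", similarity_verdict(link))
```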
Enable User Awareness If enabled, user awareness messages are displayed in the user's browser when links are clicked in a message.
  • User Awareness Challenge Percentage: Select the frequency for displaying user awareness pages to the user when URLs in messages are clicked.
  • Disable User Awareness Dynamic Challenge Adjustment: By default, incorrectly responding to user awareness prompts increases the frequency of the prompts displayed to the user. Select this option to turn off the adjustments.
  • Use a Custom Page Set: Select this option to apply a previously configured customized User Awareness Page Set via the drop-down menu that displays. See the URL Protection User Awareness page for configuring custom page sets.

We recommend enabling user awareness in your Account Settings. Allowing user awareness without authentication can result in a security risk. For further details, see the Targeted Threat Protection: Configuring URL Protect User Awareness page.

Enable Notifications If enabled, notifications can be sent to specific users should a policy be triggered. You can notify the following:
  • Notification Group: Use the Lookup button to select a group of users to be notified when a user clicks on an unsafe URL.
  • Notification URL Format: Controls the format of the rewritten URL notification sent to the group of users specified in the "Notification Group" option. The options are:
    • Safe URL: URLs are scanned and blocked if considered unsafe.
    • Safe URL with Preview: URLs are displayed on a web page showing the original link.

Outbound Settings

Outbound settings are only displayed if Targeted Threat Protection - Internal Email Protection is enabled on your account.

Field / Option Description
Enable Outbound Check If selected, the fields below are displayed. When setting up outbound checks, use a policy with the correct routing to activate this definition.
URL Mode Specify the URL check mode:
  • Aggressive: Checks anything that looks like a URL or contains similar formatting (e.g., http://, www., or .co.uk).
  • Moderate: Checks only when the URL contains a valid URL or path (e.g., www.domain.com).
  • Relaxed: Checks only URLs that contain a valid scheme (i.e., http:// or https://).
URL Category Scanning Specify how aggressively the URL categorization engine operates on dangerous URL categories. Other detection capabilities are not altered when changing this setting. The categories blocked by each setting (Relaxed / Moderate / Aggressive) are:
  • Compromised (Relaxed: Y, Moderate: Y, Aggressive: Y): Sites known to contain malware, phishing, or spam products.
  • Phishing & Fraud (Relaxed: Y, Moderate: Y, Aggressive: Y): Fraudulent sites that purport to be reputable companies to induce individuals to reveal personal information (e.g., passwords or credit card numbers).
  • Spam Sites (Relaxed: N, Moderate: Y, Aggressive: Y): Sites that send irrelevant or unsolicited messages, typically to many users, for advertising, phishing, spreading malware, etc.
  • Suspicious (Relaxed: N, Moderate: Y, Aggressive: Y): Sites that are either known to be malicious or potentially malicious.
  • Malware (Relaxed: Y, Moderate: Y, Aggressive: Y): Sites containing software designed to disrupt, damage, or gain unauthorized access to a computer system.
  • Botnets (Relaxed: Y, Moderate: Y, Aggressive: Y): Sites that are part of a network of private computers infected with malicious software and controlled as a group without the owners' knowledge (e.g., to send spam).
  • Private IP Addresses (Relaxed: N, Moderate: N, Aggressive: Y): Private networks that use private IP address space (e.g., local area networks in residential, office, and enterprise environments).
QR Code Image Action Specify the action taken when a QR Code that contains a URL is scanned and classified as Malicious. This can be either of the following options:
  • Reject: The message containing the Malicious URL will be rejected.
  • Hold: The message containing the Malicious URL will be held.
Gateway Action / Gateway Fallback Action Select the gateway action to take if a message containing an unsafe URL is detected, and the fallback action to take if we cannot check a URL. A fallback measure is only applied if we cannot check a URL. The options are:
  • None: The message is delivered to the recipients.
  • Hold: The message is sent to the hold queue and not delivered to the recipients.
  • Bounce: The message is rejected and not delivered to the recipients.

These settings only display if you've purchased Internal Email Protection.

User Mailbox Action / User Mailbox Fallback Action Select the action to take if a message containing an unsafe URL is detected, and the fallback action to take if we cannot check a URL. A fallback measure is only applied if we cannot check a URL. The options are:
  • None: No action is taken, and the message is delivered to the recipients.
  • Remove Message: The detected message is removed from the user's mailbox.

  • These settings only display if you've purchased Internal Email Protection.
  • Only Microsoft O365 and on-premises Exchange are fully supported. Everything else will only receive notifications.

Block URLs Containing Dangerous File Extensions Specifies whether URLs containing file extensions that commonly have malware are blocked.

Scan URLs in Attachments Malicious detections are logged under the Monitoring | URL Protection menu item. The supported file types are:
  • HTML, TXT, PDF
  • Archived files in formats such as .ZIP, .BZIP, .GZIP, .JS, .RAR, .TAR, .LHA, .LZH and .XZ
  • All Microsoft Office and Open Office file formats

Considerations:

  • If selected and URL File Download is set to Warn, attachments with links to file downloads will be blocked. We recommend setting URL File Download to Sandbox.
  • If selected, attachments that are 50 MB or less and supported by the safe file option are checked to ensure they contain no malicious URLs.
  • Encrypted files larger than 40 MB are considered malicious. For all other files the limit is 50 MB, above which links are stripped.
  • This option also works with compressed files; the individual files are scanned as if they weren't part of a compressed file. If malicious links are found in an attachment, the action taken depends on the "Action" setting (above). Stripped files are logged under Administration | Monitoring | Attachments in the Administration Console.

URL File Download If enabled, a check is made to ascertain whether the URL points to a download of one of the file types listed below. If a URL points to one of these file types and is found to be potentially dangerous, you can set this option to warn or block the file. You can sandbox the file if you have Targeted Threat Protection – Attachment Protect. The supported file types are:
  • HTML, TXT, PDF
  • Archived files in .ZIP, .BZIP, .GZIP, .JS, .RAR, .TAR, .LHA, .LZH and .XZ format
  • All Microsoft Office and Open Office file formats

Malicious detections are logged under the Monitoring | URL Protection menu item.

If User Awareness notifications are enabled, users can download the scanned file via the email notification for 12 hours, after which they are taken through the checking process again.

Advanced Similarity Checks If selected, URLs are checked for advanced attacks where links appear similar to your internal and monitored external domains. Select at least one of the additional options below:
  • Check Internal Domains: Checks links against your internal domains.
  • Check Mimecast Monitored External Domains: Checks links against Mimecast monitored external domains.
  • Check Custom-Monitored External Domains: Checks links against your custom-monitored external domains. To update your custom domains, click the Custom Monitored External Domains button at the top of the URL Protection definition list. See Custom Monitored External Domains for more information.
Enable Notifications If enabled, notifications can be sent to specific users should a policy be triggered. You can notify the following:
  • Notification Group: Use the Lookup button to select a group of users to be notified when a user clicks on an unsafe URL.
  • Internal Sender: If selected, a notification is sent to the message's internal sender if there is an unsafe URL.

Journal Settings

Journal settings are only displayed if Targeted Threat Protection - Internal Email Protect is enabled on your account.

Field / Option Description
Enable Journal Check If selected, the fields below are displayed. When setting up journal checks, use a policy with the correct routing to activate this definition.
URL Mode Specify the URL check mode:
  • Aggressive: Checks anything that looks like a URL or contains similar formatting (e.g., http://, www., or .co.uk).
  • Moderate: Checks only when the URL contains a valid URL or path (e.g., www.domain.com).
  • Relaxed: Checks only URLs that contain a valid scheme (i.e., http:// or https://).
URL Category Scanning Specify how aggressively the URL categorization engine operates on dangerous URL categories. Other detection capabilities are not altered when changing this setting. The categories blocked by each setting (Relaxed / Moderate / Aggressive) are:
  • Compromised (Relaxed: Y, Moderate: Y, Aggressive: Y): Sites known to contain malware, phishing, or spam products.
  • Phishing & Fraud (Relaxed: Y, Moderate: Y, Aggressive: Y): Fraudulent sites that purport to be reputable companies to induce individuals to reveal personal information (e.g., passwords or credit card numbers).
  • Spam Sites (Relaxed: N, Moderate: Y, Aggressive: Y): Sites that send irrelevant or unsolicited messages, typically to many users, for advertising, phishing, spreading malware, etc.
  • Suspicious (Relaxed: N, Moderate: Y, Aggressive: Y): Sites that are either known to be malicious or potentially malicious.
  • Malware (Relaxed: Y, Moderate: Y, Aggressive: Y): Sites containing software designed to disrupt, damage, or gain unauthorized access to a computer system.
  • Botnets (Relaxed: Y, Moderate: Y, Aggressive: Y): Sites that are part of a network of private computers infected with malicious software and controlled as a group without the owners' knowledge (e.g., to send spam).
  • Private IP Addresses (Relaxed: N, Moderate: N, Aggressive: Y): Private networks that use private IP address space (e.g., local area networks in residential, office, and enterprise environments).
User Mailbox Action / User Mailbox Fallback Action Select the action to take if a message containing an unsafe URL is detected, and the fallback action to take if we cannot check a URL. A fallback measure is only applied if we cannot check a URL. The options are:
  • None: No action is taken, and the message is delivered to the recipients.
  • Remove Message: The detected message is removed from the user's mailbox.

In non-Exchange environments, automatic remediation is not supported. However, if a supported journal connector is used, you can leverage detection and, through these alerts, perform manual remediation.

  • These settings only display if you've purchased Internal Email Protection.
  • Only Microsoft O365 and on-premises Exchange are fully supported. Everything else will only receive notifications.
Block URLs Containing Dangerous File Extensions Specifies whether URLs containing file extensions that commonly have malware are blocked.

Scan URLs in Attachments Malicious detections are logged under the Monitoring | URL Protection menu item. The supported file types are:
  • HTML, TXT, PDF
  • Archived files in formats such as .ZIP, .BZIP, .GZIP, .JS, .RAR, .TAR, .LHA, .LZH and .XZ
  • All Microsoft Office and Open Office file formats

Considerations:

  • If selected and URL File Download is set to Warn, attachments with links to file downloads will be blocked. We recommend setting URL File Download to Sandbox.
  • If selected, attachments that are 50 MB or less and supported by the safe file option are checked to ensure they contain no malicious URLs.
  • Encrypted files larger than 40 MB are considered malicious. For all other files the limit is 50 MB, above which links are stripped.
  • This option also works with compressed files; the individual files are scanned as if they weren't part of a compressed file. If malicious links are found in an attachment, the action taken depends on the "Action" setting (above). Stripped files are logged under Monitoring | Attachments in the Administration Console.

URL File Download If enabled, a check is made to ascertain whether the URL points to a download of one of the file types listed below. If a URL points to one of these file types and is found to be potentially dangerous, you can set this option to warn or block the file. You can sandbox the file if you have Targeted Threat Protection – Attachment Protect. The supported file types are:
  • HTML, TXT, PDF
  • Archived files in .ZIP, .BZIP, .GZIP, .JS, .RAR, .TAR, .LHA, .LZH and .XZ format
  • All Microsoft Office and Open Office file formats

Malicious detections are logged under the Monitoring | URL Protection menu item.

If User Awareness notifications are enabled, users can download the scanned file via the email notification for 12 hours, after which they are taken through the checking process again.

Advanced Similarity Checks If selected, URLs are checked for advanced attacks where links appear similar to your internal and monitored external domains. Select at least one of the additional options below:
  • Check Internal Domains: Checks links against your internal domains.
  • Check Mimecast Monitored External Domains: Checks links against Mimecast monitored external domains.
  • Check Custom-Monitored External Domains: Checks links against your custom-monitored external domains. To update your custom domains, click the Custom Monitored External Domains button at the top of the URL Protection definition list. See Custom Monitored External Domains.
Enable Notifications If enabled, notifications can be sent to specific users should a policy be triggered. You can notify the following:
  • Notification Group: Use the Lookup button to select a group of users to be notified when a user clicks on an unsafe URL.
  • Internal Sender: If selected, a notification is sent to the message's internal sender if there is an unsafe URL.
  • Internal Recipient: If selected, a notification is sent to the message's internal recipient if there is an unsafe URL.
